SentinelLabs uncovered Aoqin Dragon, a Chinese-linked advanced persistent threat (APT) primarily targeting organizations in Southeast Asia and Australia since 2013, including government, education and telecommunication organizations. 


According to SentinelLabs research, Aoqin Dragon has a history of using document lures with pornographic themes to infect users and uses USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.


SentinelLabs assesses that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Based on an analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, SentinelLabs believes the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant).


John Bambenek, Principal Threat Hunter at Netenrich, says, “the Chinese government has always done remarkable work in highly-specific targeting designed to infect their espionage targets. They are spending real effort to do the research to make sure they can discretely infect organizations and operate for extended periods of time without being discovered.” 


Throughout the firm’s analysis of Aoqin Dragon campaigns, SentinelLabs observed a clear evolution in their infection chain and TTPs. Researchers divide their infection strategy into three parts.


  1. Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.
  2. Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
  3. Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.


To stay under the radar, the threat group has evolved tactics, techniques and procedures (TTPs) several times and will continue to find new methods to evade detection and stay longer in their target network and continue to conduct espionage operations. 


For the full report, please visit sentinelone.com.